Campus network security technology lecture

Source: Internet
Author: User
Tags: ftp site

Most campus networks have become part of the Internet, and the Internet can no longer be used freely without concern, which makes campus network security especially important. Here I discuss the following topics:


○ Why is the Internet insecure?

○ Network system security management measures

○ Network security tools

○ Other security information


I. Why is the Internet insecure?


The Internet is inherently insecure because its first builders did not treat security as a problem. In its early days the Internet was an open service for researchers and a completely non-profit carrier for information sharing, so almost none of the Internet protocols included security mechanisms. This is fully reflected in the plaintext transmission of user passwords by FTP, Telnet and email, and in the broadcast delivery of IP packets within a subnet segment. In recent years, however, the nature of the Internet and its user population have changed greatly, and its security problems have become more and more prominent. With the popularity and commercialization of the Internet, much private user data, such as credit card numbers and information tied to users' own interests, is now transmitted over the Internet, and more information is put online for profit rather than shared completely freely, so security has become a matter of increasing concern.


Another reason for the Internet's insecurity is that it is easy to obtain core technical information from the Internet itself, especially information about the Internet: RFCs, FAQs, and the source code of many applications. For example, the source code of TCP/IP, Sendmail and FTP implementations is public and free, and so are security tools such as the controversial SATAN and Crack. Sharing these materials is a good thing, but it inevitably has counterproductive results as well.


Another critical factor in Internet insecurity is the lack of security awareness among users, especially those unfamiliar with computer and Internet technology. Few users read the RFC 1244 Site Security Handbook or follow the advice of the CERT security organization. Most users are able to manage their own passwords, but how many are willing to use a hard-to-remember one? Convenience and security always conflict, and it is difficult to have both.


To put it bluntly, the Internet is insecure because people are what they are. One need only look at how much thicker security doors have become to understand this. Today the Internet has firewalls, far more complex than a security door, to keep out malicious or merely curious hackers, and there are various private-key and public-key systems to protect information transmitted online.


That the Internet is insecure is an unavoidable reality. Let us face it and talk about the security measures we can take.

II. Network system security management measures


Most attacks on the Internet target the server systems on the network, including email, anonymous FTP, WWW, DNS, News and other service systems. Most of these run on UNIX systems, including Sun's Solaris, SCO UNIX, HP-UX, SGI's IRIX, IBM's AIX and Linux. Several factors make these systems vulnerable to attack. First, they are well known and tend to attract attention. Second, the systems themselves have vulnerabilities. On the one hand we can adopt defensive measures; on the other, network system administrators can use tools to find security vulnerabilities in the system or to capture packets from the Internet for analysis. Below we take Sun's Solaris as an example to introduce the security measures that can be used.


(1) Install system patches


Every operating system has vulnerabilities. As a network system administrator, you are responsible for applying patches promptly. Sun publishes a large number of patches on its websites in time to close security vulnerabilities in its operating systems, and these patches can also be obtained from SunSITE mirrors in various regions. On the Peking University FTP site the patches are at:

Ftp://ftp.pku.edu.cn/pub/Sun/sun-info/sun-patches


(2) Use the latest version of the server software


Like the operating system, the server software running on the server also needs to be updated constantly; new versions often provide more and better functions and ensure more effective and secure operation of the server. To minimize security vulnerabilities, the system administrator must update the server software promptly. The latest versions of the server software at the time of writing are:

* DNS software: BIND 8.x

* Anonymous FTP software: wu-ftpd 2.4.2-academ[BETA-18]

* Mirror software: Mirror version 2.9

* Sendmail: Sendmail 8.9.x

* News: INN 2.1

* HTTPD: Apache 1.3.x


These versions change very quickly; track the projects' official home pages to obtain the latest software.


(3) Password security


Passwords can be called the system's first line of defense. Currently most attacks on systems on the Internet start by intercepting or guessing a password. Once a hacker is inside the system, the defensive measures above have almost no effect. It is therefore important for the system administrator to manage passwords securely.

Currently most Unix systems store user account information and encrypted passwords separately. The /etc/passwd file does not contain the encrypted passwords; they are stored in /etc/shadow, which is readable only by root. Note that system accounts such as uucp, ftp and news must not be given a login shell such as /bin/sh or /bin/csh: leave their shell field empty in /etc/passwd, or set it to /bin/ftponly. /bin/ftponly can be a simple shell script, as follows:

#!/bin/sh
echo "Sorry, ftp only allowed."
exit 0

Do not forget to add /bin/ftponly to /etc/shells.


(4) File and directory permissions


Pay special attention to all SUID and SGID files on the system, because once a hacker gets into your system, these programs are a route to superuser privileges. The Internet offers many tools that can help you check permissions; we introduce them below.


(5) Restrict network users' access to the system


This restriction has two parts:

1) Use IP addresses to restrict access. This is done by installing the TCP Wrappers software.

TCP Wrappers controls which IP addresses may use services such as telnet, ftp, rlogin, rsh, finger and talk; for example, you can allow only certain machines in the network control center to use these services on the server.

2) The superuser password is known only to the system administrator and must be changed regularly. In addition, remote login as root is not allowed; this is set by default in the system file /etc/default/login.


(6) Disable unnecessary service ports


Edit the /etc/services and /etc/inetd.conf files to disable unnecessary services and their service ports.
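Added example (not from the original article) of the inetd.conf edit that section (6) describes, written as a POSIX shell script over a constructed sample file; the service names and daemon paths in the sample are assumptions, not taken from any real host.

```shell
#!/bin/sh
# Added example (not from the original article): disable services in a copy
# of /etc/inetd.conf as described in section (6). Assumes the classic
# inetd.conf layout: one service per line, service name in the first field,
# and a leading "#" turning a line into a comment (which is how inetd
# entries are disabled).

# disable_inetd_services CONF SERVICE... -> comments out those services in CONF
disable_inetd_services() {
    conf=$1; shift
    awk -v list=" $* " '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }           # keep comments, blanks
        index(list, " " $1 " ") > 0 { print "#" $0; next } # disable this service
        { print }
    ' "$conf" > "$conf.new" && mv "$conf.new" "$conf"
}

# enabled_services CONF -> names of the services inetd will still start
enabled_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# Constructed sample in /etc/inetd.conf format (not taken from a real host).
sample_inetd_conf() {
    cat <<'EOF'
# Internet services
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
tftp    dgram   udp  wait    root    /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
EOF
}

# Demonstration: keep ftp and telnet, turn off shell, finger and tftp.
# On a real server, edit /etc/inetd.conf itself and then send inetd a HUP
# signal (for example "pkill -HUP inetd" where pkill is available) so that
# it re-reads the file.
demo() {
    f=${TMPDIR:-/tmp}/inetd.conf.$$
    sample_inetd_conf > "$f"
    disable_inetd_services "$f" shell finger tftp
    echo "still enabled:"; enabled_services "$f"
    rm -f "$f"
}

case "${1:-}" in demo) demo ;; esac
```

Run the script with the single argument `demo` to see the sample edited; the functions can be sourced into another script for a real inetd.conf.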


(7) Back up the server regularly


To guard against unexpected system faults or improper operation by users, the system must be backed up securely. In addition to a monthly backup of the entire system, back up the modified data once a week. Copies of important system files that have been modified should also be kept on a different server, so that after a crash (usually a hard disk failure) the system can be restored to its best state in time.

All types of Unix systems now have powerful backup tools, such as ufsdump and ufsrestore in Solaris.


(8) Set up system logs


By running the system log (accounting) program, the system records all users' use of the system, including last login time, every command entered, and disk space and CPU usage. The program periodically generates reports; by analysing them you can check whether anything abnormal has occurred. For example, if you find that an account is always logged in in the middle of the night, be careful: the account may have been stolen. If a system account such as uucp logs in or consumes a large amount of CPU or disk, you should also pay attention.

In Solaris 2.x, run /etc/init.d/acct start or /etc/init.d/acct stop to start or stop system logging. All log information is stored in the /var/adm/acct directory.

The main disadvantage of running system logs is that they occupy a large amount of disk space.
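Added example (not from the original article) of the report review that section (8) calls for: it flags night-time logins and logins by system accounts in constructed last(1)-style records; the record format, the sample lines and the account names in SYSTEM_ACCOUNTS are assumptions, not output from a real system.

```shell
#!/bin/sh
# Added example (not from the original article): a first pass over login
# records for the two warning signs named in section (8): logins that start
# in the middle of the night, and any login by a system account such as
# uucp, ftp or news, which should never log in interactively.
# Assumes last(1)-style records "user tty host weekday month day HH:MM ..."
# with the host field always present (a constructed format; the real output
# of last differs between systems, so adjust the field numbers accordingly).

SYSTEM_ACCOUNTS=" uucp nuucp ftp news lp daemon bin sys "
NIGHT_START=0   # flag logins from 00:00 ...
NIGHT_END=5     # ... up to, but not including, 05:00

# flag_logins < records -> one "REASON user host date time" line per hit
flag_logins() {
    awk -v sys="$SYSTEM_ACCOUNTS" -v s="$NIGHT_START" -v e="$NIGHT_END" '
        NF < 7 { next }                 # skip the "wtmp begins ..." trailer
        {
            user = $1; host = $3; when = $4 " " $5 " " $6 " " $7
            hour = substr($7, 1, 2) + 0
            if (index(sys, " " user " ") > 0)
                print "SYSTEM-ACCOUNT-LOGIN", user, host, when
            else if (hour >= s && hour < e)
                print "NIGHT-LOGIN", user, host, when
        }'
}

# Constructed sample records (not real log data).
sample_records() {
    cat <<'EOF'
alice   pts/3   lab1.cs.example    Mon Mar  2 09:12 - 11:40  (02:28)
bob     pts/1   dorm7.example      Mon Mar  2 02:31 - 02:55  (00:24)
uucp    pts/2   198.51.100.7       Mon Mar  2 14:05 - 14:06  (00:01)
alice   pts/3   lab1.cs.example    Tue Mar  3 03:02 - 03:40  (00:38)
wtmp begins Sun Mar  1 00:00
EOF
}

# Demonstration on the sample; on a real host pipe the output of last into
# flag_logins instead.
case "${1:-}" in demo) sample_records | flag_logins ;; esac
```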


(9) Check system security regularly


This check is done by regularly running system security detection tools. With these tools you can check:


○ User password security, including password content, format and validity period.

○ Validity of file access permissions, including whether SUID files exist, files or directories with mode 777 or 666, system file consistency checks, and validity checks of users' home directories and startup files.

○ Security settings of anonymous FTP.

○ tftp, the decode alias in sendmail, and hidden shells in inetd.conf.

○ NFS file system sharing security, including $HOME/.rhosts, /etc/hosts.equiv and so on.

○ Vulnerabilities announced by CERT.
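Added example (not from the original article) implementing the SUID/SGID and mode 777/666 permission checks from sections (4) and (9) as a POSIX shell script in the spirit of COPS; the demonstration tree, its file names and the baseline file are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original article): a small audit in the spirit
# of COPS for the checks named in sections (4) and (9): SUID/SGID programs
# and world-writable files or directories (mode 777 or 666). Uses only
# find(1), sort(1) and comm(1), so it runs on Solaris as well as Linux.

# find_suid_sgid ROOT -> sorted list of SUID or SGID regular files under ROOT
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# find_world_writable ROOT -> sorted list of files and directories that any
# user may write to (the "777 or 666" case in section (9))
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 2>/dev/null | sort
}

# new_since_baseline ROOT BASELINE -> SUID/SGID files not present in BASELINE,
# a sorted list saved from find_suid_sgid on a known-good system. A SUID
# program that appears here without a patch or install to explain it is the
# kind of route to superuser privileges that section (4) warns about.
new_since_baseline() {
    find_suid_sgid "$1" | comm -13 "$2" -
}

# Constructed demonstration tree (not a real system); safe to run as a
# normal user because the files are empty and owned by you.
demo() {
    d=${TMPDIR:-/tmp}/audit.$$
    mkdir -p "$d/bin" "$d/tmp" && chmod 755 "$d" "$d/bin" "$d/tmp"
    : > "$d/bin/su";   chmod 4755 "$d/bin/su"    # expected SUID root binary
    : > "$d/bin/sh2";  chmod 4755 "$d/bin/sh2"   # unexpected SUID binary
    : > "$d/tmp/note"; chmod 666  "$d/tmp/note"  # world-writable file
    printf '%s\n' "$d/bin/su" > "$d/baseline"    # baseline taken earlier
    chmod 644 "$d/baseline"
    echo "new SUID/SGID since baseline:"; new_since_baseline "$d" "$d/baseline"
    echo "world-writable:";               find_world_writable "$d"
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

On a real server run find_suid_sgid / once after installation, keep the output as the baseline, and compare against it from cron.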


Popular Internet detection tools include:


○ COPS (Computer Oracle and Password System): a group of tools that produces a report after running. The system administrator must analyse the report and close the vulnerabilities it finds.

○ SATAN (Security Administrator Tool for Analyzing Networks): the most common network security analysis tool, with a good user interface. It has an HTML interface, can select targets in various forms, and generates a table of results; a prompt is displayed immediately when a vulnerability is detected. The vulnerabilities SATAN can scan for mainly include anonymous ftpd vulnerabilities and writable directories, and NFS, NIS, RSH, Sendmail and X server vulnerabilities.

○ Crack: a password checker. It finds standard 8-character DES-encrypted passwords by standard guessing techniques.

○ Shadow: provides password hiding, supports 16-bit passwords, checks user passwords and reports their relative strength, and records failed login attempts.

○ passwd+: another password checking program. It runs a series of rule checks when the user chooses a password and forces the user to choose again if the password does not meet the requirements.

○ snoop and tcpdump: monitor packets transmitted over the network in real time; useful when the network is behaving abnormally. snoop is a system command in Solaris 2.x.

○ Tripwire: a file system checking program that mainly checks the usage and modification of the file system.


These tools are basically free software on the Internet and can be obtained from their home pages or anonymous FTP sites. They are also available on the Peking University FTP site, in the directory /pub/cert/tools. The main tools are described below.


III. Network security tools

(1) COPS: system security detection

COPS performs security checks on Unix systems. Its main detection targets include the following:


○ Check the permissions of files, directories and device files.


○ Important system files
